[ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217078#action_217078 ]
Brett Porter edited comment on MNG-4626 at 4/7/10 6:24 PM:
-----------------------------------------------------------
Can I sum up, between the two issues, that you want Maven to not decrypt the
password in settings.xml, and that Artifactory is using the same algorithm and
master key? So a suitable escaping mechanism (that works as documented on the
page) would be sufficient? That should be fine to do, but I otherwise agree
using https for your repository is a better option all around.
was (Author: brettporter):
can I some up, between the two issues, that you want Maven to not decrypt
the password in settings.xml, and that Artifactory is using the same algorithm
and master key ? So a suitable escaping mechanism (that works as documented on
the page) would be sufficient? That should be fine to do, but I otherwise agree
using https for your repository is a better option all around.
> Avoid cleartext passwords over http
> -----------------------------------
>
> Key: MNG-4626
> URL: http://jira.codehaus.org/browse/MNG-4626
> Project: Maven 2 & 3
> Issue Type: Improvement
> Components: General
> Affects Versions: 3.0-alpha-7
> Reporter: Brendan Lawlor
>
> The current encryption scheme implemented by Maven avoids the use of
> cleartext passwords on local files by allowing them to be encrypted locally
> and decrypted just before the Maven client requests from or deploys to a
> central artifact repository.
>
> I would like to suggest that the Maven team replicate the idea adopted by
> Artifactory, where passwords are _transmitted_ encrypted, and only decrypted
> on the server side by the repository. Requests and deployments are made over
> http and transmitted in the clear. Where the passwords are system passwords
> integrated to Active Directory or similar using LDAP, this is not an option
> even within a company's LAN. I like the idea of where Nexus and the Maven
> development stack in general is going (I listened to Jason's seminar recently
> and I'm keen on much of where you are going). But passwords in the clear over
> http is a showstopper and I'm surprised you haven't already borrowed this
> idea from the competition.
>
> Another irritating side effect of Maven's insistence on using cleartext
> passwords has been mentioned by a colleague of mine in MNG-4611. We currently
> use Artifactory for EXACTLY this reason (the password encryption) and Maven
> logs loudly about the fact that the passwords are encrypted.
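The following audit is an added example, not part of the JIRA thread or of Maven's own code. It lists the server credentials in a settings.xml that are bound to plain http:// repository or mirror URLs, since encryption at rest does not help once the password is decrypted before the request. The sample file, its ids and hosts are constructed, and the `audit` and `local` helpers are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml (not from the issue); ids, hosts and values are made up.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>corp-releases</id><username>ci</username>
      <password>{CONSTRUCTEDciphertext=}</password></server>
    <server><id>corp-snapshots</id><username>ci</username>
      <password>{CONSTRUCTEDciphertext=}</password></server>
  </servers>
  <mirrors>
    <mirror><id>corp-releases</id><mirrorOf>*</mirrorOf>
      <url>http://repo.example.internal/releases</url></mirror>
  </mirrors>
  <profiles><profile><id>p</id><repositories>
    <repository><id>corp-snapshots</id>
      <url>https://repo.example.internal/snapshots</url></repository>
  </repositories></profile></profiles>
</settings>"""

# Maven wraps encrypted values in {...}; a backslash-escaped brace is a literal.
ENCRYPTED = re.compile(r"(?<!\\)\{[^{}]+\}")

def local(tag):
    """Drop the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit(settings_xml):
    """Return (server id, url, encrypted_at_rest) for credentials bound to http:// URLs."""
    root = ET.fromstring(settings_xml)
    creds, urls = {}, {}
    for el in root.iter():
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if local(el.tag) == "server" and fields.get("password"):
            creds[fields.get("id", "")] = bool(ENCRYPTED.search(fields["password"]))
        elif local(el.tag) in ("mirror", "repository", "pluginRepository") and "url" in fields:
            urls.setdefault(fields.get("id", ""), []).append(fields["url"])
    findings = []
    for server_id, encrypted in sorted(creds.items()):
        for url in urls.get(server_id, []):
            if url.lower().startswith("http://"):
                findings.append((server_id, url, encrypted))
    return findings

if __name__ == "__main__":
    for server_id, url, encrypted in audit(SAMPLE_SETTINGS):
        print(f"{server_id}: {url} (encrypted at rest: {encrypted})")
```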